ldap traffic is unencrypted between haproxy and container host #523

Closed
baszoetekouw opened this issue Jun 10, 2024 · 9 comments
@baszoetekouw
Member

Currently the ldap container exposes a plain text port 389 to the outside. This means that all traffic between the haproxy and ldap container is plain text, which we don't want.

There are two solutions:

  1. (preferred) loop the ldap traffic also through Traefik; according to @quartje it is also able to handle plain TCP traffic and should be able to do TLS termination. This is the preferred solution, because it allows us to treat all containers and traffic (HTTP and TCP) identically, and we don't have to expose the ldap container port on the Docker host at all.
  2. let slapd handle the TLS termination and expose an ldaps-port on the container host. In that case, make sure we expose a non-standard port (e.g., 1636 instead of 636).
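One way to realise option 1 with Docker Compose and Traefik labels, as an added example rather than the project's own configuration: Traefik terminates TLS on :636 and forwards plain LDAP to slapd over an internal Docker network only, so the ldap container publishes no host port. The image names, the `internal` network, the `HostSNI` hostname and the certificate source (a TLS store, not shown) are assumptions.

```yaml
# docker-compose.yml (added example, not the project's own file).
# Only Traefik publishes a port on the container host; slapd's 389 stays
# reachable solely on the 'internal' Docker network.
services:
  traefik:
    image: traefik:v3.1                      # assumption: any Traefik v2/v3 works
    command:
      - "--providers.docker=true"
      - "--providers.docker.exposedByDefault=false"
      # Same entrypoint as the ldaps entryPoints stanza discussed in this issue
      - "--entryPoints.ldaps.address=:636"
    ports:
      - "636:636"                            # the only LDAP-related host port
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks: [internal]

  ldap:
    image: osixia/openldap                   # assumption: any slapd image on 389
    # Deliberately no 'ports:' here: 389 is not exposed on the Docker host.
    networks: [internal]
    labels:
      - "traefik.enable=true"
      # TCP router: TLS termination at Traefik, then plain LDAP to slapd
      - "traefik.tcp.routers.ldaps.entryPoints=ldaps"
      - "traefik.tcp.routers.ldaps.rule=HostSNI(`pdp.test2.surfconext.nl`)"
      - "traefik.tcp.routers.ldaps.tls=true"  # cert comes from a TLS store (not shown)
      - "traefik.tcp.routers.ldaps.service=slapd"
      - "traefik.tcp.services.slapd.loadbalancer.server.port=389"

networks:
  internal:
```

A specific `HostSNI` rule requires TLS on the router, which is exactly what option 1 wants; `HostSNI(`*`)` would be needed only for a non-TLS TCP router.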
@mrvanes
Contributor

mrvanes commented Jun 10, 2024

No, LDAP traffic flows through traefik and traefik connects to 389 on the container host. Let's discuss when I'm back.

@mrvanes mrvanes moved this from Todo to In progress in SRAM development Jun 17, 2024
@mrvanes
Contributor

mrvanes commented Jul 5, 2024

SURFConext test docker host needs extra config:

entryPoints:
  ldaps:
    address: ":636"

@mrvanes
Contributor

mrvanes commented Aug 26, 2024

The only outstanding action is the LDAP ACL configuration on the load balancer (?) from the SBS config.

@logan-life

The needed config has been completed; it needs another set of eyes to check whether it works. Can the dirs on test2 be accessed via LDAPS?

@baszoetekouw
Member Author

merged and deployed. Waiting for acl change in https://jira.ia.surf.nl/servicedesk/customer/portal/1/ISSD-28458

@baszoetekouw baszoetekouw removed their assignment Sep 3, 2024
@logan-life

ACL change ticket marked as Done

@mrvanes
Contributor

mrvanes commented Feb 10, 2025

What is blocking this?
(Try connecting with pdp.test2.surfconext.nl:636 in Apache Directory Studio, VPN enabled)

The connection failed
 -  ERR_04110_CANNOT_CONNECT_TO_SERVER Cannot connect to the server: Connection refused
  org.apache.directory.studio.connection.core.io.StudioLdapException:  ERR_04110_CANNOT_CONNECT_TO_SERVER Cannot connect to the server: Connection refused
	at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.toStudioLdapException(DirectoryApiConnectionWrapper.java:1356)
	at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.access$4(DirectoryApiConnectionWrapper.java:1348)
	at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper$1.run(DirectoryApiConnectionWrapper.java:247)
	at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.runAndMonitor(DirectoryApiConnectionWrapper.java:1265)
	at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.doConnect(DirectoryApiConnectionWrapper.java:269)
	at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.connect(DirectoryApiConnectionWrapper.java:160)
	at org.apache.directory.studio.connection.core.jobs.CheckNetworkParameterRunnable.run(CheckNetworkParameterRunnable.java:80)
	at org.apache.directory.studio.connection.ui.RunnableContextRunner$1.run(RunnableContextRunner.java:140)
	at org.eclipse.jface.operation.ModalContext$ModalContextThread.run(ModalContext.java:122)
Caused by: org.apache.directory.ldap.client.api.exception.InvalidConnectionException: ERR_04110_CANNOT_CONNECT_TO_SERVER Cannot connect to the server: Connection refused
	at org.apache.directory.ldap.client.api.LdapNetworkConnection.close(LdapNetworkConnection.java:756)
	at org.apache.directory.ldap.client.api.LdapNetworkConnection.connect(LdapNetworkConnection.java:951)
	at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper$1.run(DirectoryApiConnectionWrapper.java:235)
	... 6 more
Caused by: java.net.ConnectException: Connection refused
	at java.base/sun.nio.ch.Net.pollConnect(Native Method)
	at java.base/sun.nio.ch.Net.pollConnectNow(Net.java:682)
	at java.base/sun.nio.ch.SocketChannelImpl.finishConnect(SocketChannelImpl.java:973)
	at org.apache.mina.transport.socket.nio.NioSocketConnector.finishConnect(NioSocketConnector.java:223)
	at org.apache.mina.transport.socket.nio.NioSocketConnector.finishConnect(NioSocketConnector.java:47)
	at org.apache.mina.core.polling.AbstractPollingIoConnector$Connector.processConnections(AbstractPollingIoConnector.java:571)
	at org.apache.mina.core.polling.AbstractPollingIoConnector$Connector.run(AbstractPollingIoConnector.java:456)
	at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
	at java.base/java.lang.Thread.run(Thread.java:1583)

   ERR_04110_CANNOT_CONNECT_TO_SERVER Cannot connect to the server: Connection refused

@mrvanes
Contributor

mrvanes commented Mar 5, 2025

For me, ldaps://pdp.test2.surfconext.nl:636/ from Apache Directory Studio now works as expected, and the traefik load balancer on the container host only listens on :636.

@logan-life

Solved for this particular case (test2, one host, all plaintext is localhost traffic); closing.
